main/openssh: backport security fix (CVE-2018-15473)

fixes #9317
author: Natanael Copa <ncopa@alpinelinux.org> 2018-08-22 08:56:21 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2018-08-22 08:56:21 +0000
commit: c314d18b4e1c932d8670c49f265f919242b7a17b (patch)
tree: 6a63d1d4323db9d3e1e64e79fc7964eaedc3124a /main/openssh
parent: 778979325b80c0140f80ecb4558828ed3e8544f4 (diff)
download: aports-c314d18b4e1c932d8670c49f265f919242b7a17b.tar.bz2
aports-c314d18b4e1c932d8670c49f265f919242b7a17b.tar.xz
2 files changed, 151 insertions, 1 deletions
diff --git a/main/openssh/APKBUILD b/main/openssh/APKBUILD
index 758157e31d..4242bf210f 100644
--- a/main/openssh/APKBUILD
+++ b/main/openssh/APKBUILD
@@ -4,7 +4,7 @@
 pkgname=openssh
 pkgver=7.7_p1
 _myver=${pkgver%_*}${pkgver#*_}
-pkgrel=3
+pkgrel=4
 pkgdesc="Port of OpenBSD's free SSH release"
 url="http://www.openssh.org/portable.html"
 arch="all"
@@ -35,10 +35,13 @@ source="http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$pkgname-$_myver.tar
 	bsd-compatible-realpath.patch
 	sftp-interactive.patch
 	disable-forwarding-by-default.patch
+	CVE-2018-15473.patch
 	sshd.initd
 	sshd.confd
 	"
 # secfixes:
+#   7.7_p1-r4:
+#     - CVE-2018-15473
 #   7.5_p1-r8:
 #     - CVE-2017-15906
 #   7.4_p1-r0:
@@ -199,5 +202,6 @@ f35fffcd26635249ce5d820e7b3e406e586f2d2d7f6a045f221e2f9fb53aebc1ab1dd1e603b33894
 f2b8daa537ea3f32754a4485492cc6eb3f40133ed46c0a5a29a89e4bcf8583d82d891d94bf2e5eb1c916fa68ec094abf4e6cd641e9737a6c05053808012b3a73  bsd-compatible-realpath.patch
 c1d09c65dbc347f0904edc30f91aa9a24b0baee50309536182455b544f1e3f85a8cecfa959e32be8b101d8282ef06dde3febbbc3f315489339dcf04155c859a9  sftp-interactive.patch
 8df35d72224cd255eb0685d2c707b24e5eb24f0fdd67ca6cc0f615bdbd3eeeea2d18674a6af0c6dab74c2d8247e2370d0b755a84c99f766a431bc50c40b557de  disable-forwarding-by-default.patch
+3f8d0b8547965c47ac8980d45a55f48472a60a2cbba3d552cb3a8c383455830e309b2df4e0afd4b01a53b7e45197fc172760e41302c10fdd0b55dbb85a6d9d87  CVE-2018-15473.patch
 bcd56bebe37acb69986abd247d6b74daf7dde1712f30640244a1dd70c505a6a536c5536bef11345e128b6785e1c8ff9736627556e702218805fb14b23bd7047c  sshd.initd
 ec506156c286e5b28a530e9964dd68b7f6c9e881fbc47247a988e52a1f9cd50cbfaf4955c96774f9e2508d8b734c4abf98785fbaa75ae6249e3464b5495f1afc  sshd.confd"
diff --git a/main/openssh/CVE-2018-15473.patch b/main/openssh/CVE-2018-15473.patch
new file mode 100644
index 0000000000..77e71727aa
--- /dev/null
+++ b/main/openssh/CVE-2018-15473.patch
@@ -0,0 +1,146 @@
+From 779974d35b4859c07bc3cb8a12c74b43b0a7d1e0 Mon Sep 17 00:00:00 2001
+From: djm <djm@openbsd.org>
+Date: Tue, 31 Jul 2018 03:10:27 +0000
+Subject: [PATCH] =?UTF-8?q?delay=20bailout=20for=20invalid=20authenticatin?=
+ =?UTF-8?q?g=20user=20until=20after=20the=20packet=20containing=20the=20re?=
+ =?UTF-8?q?quest=20has=20been=20fully=20parsed.=20Reported=20by=20Dariusz?=
+ =?UTF-8?q?=20Tytko=20and=20Micha=C5=82=20Sajdak;=20ok=20deraadt?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+---
+ usr.bin/ssh/auth2-gss.c       | 11 +++++++----
+ usr.bin/ssh/auth2-hostbased.c | 11 ++++++-----
+ usr.bin/ssh/auth2-pubkey.c    | 25 +++++++++++++++----------
+ 3 files changed, 28 insertions(+), 19 deletions(-)
+
+diff --git a/usr.bin/ssh/auth2-gss.c b/usr.bin/ssh/auth2-gss.c
+index 649c830916a..c919ef4c353 100644
+--- a/auth2-gss.c
++++ b/auth2-gss.c
+@@ -69,9 +69,6 @@ userauth_gssapi(struct ssh *ssh)
+ 	u_int len;
+ 	u_char *doid = NULL;
+ 
+-	if (!authctxt->valid || authctxt->user == NULL)
+-		return (0);
+-
+ 	mechs = packet_get_int();
+ 	if (mechs == 0) {
+ 		debug("Mechanism negotiation is not supported");
+@@ -101,6 +98,12 @@ userauth_gssapi(struct ssh *ssh)
+ 		return (0);
+ 	}
+ 
++	if (!authctxt->valid || authctxt->user == NULL) {
++		debug2("%s: disabled because of invalid user", __func__);
++		free(doid);
++		return (0);
++	}
++
+ 	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
+ 		if (ctxt != NULL)
+ 			ssh_gssapi_delete_ctx(&ctxt);
+diff --git a/usr.bin/ssh/auth2-hostbased.c b/usr.bin/ssh/auth2-hostbased.c
+index ad335555934..fb5e5f42272 100644
+--- a/auth2-hostbased.c
++++ b/auth2-hostbased.c
+@@ -66,10 +66,6 @@ userauth_hostbased(struct ssh *ssh)
+ 	size_t alen, blen, slen;
+ 	int r, pktype, authenticated = 0;
+ 
+-	if (!authctxt->valid) {
+-		debug2("%s: disabled because of invalid user", __func__);
+-		return 0;
+-	}
+ 	/* XXX use sshkey_froms() */
+ 	if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 ||
+ 	    (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 ||
+@@ -116,6 +112,11 @@ userauth_hostbased(struct ssh *ssh)
+ 		goto done;
+ 	}
+ 
++	if (!authctxt->valid || authctxt->user == NULL) {
++		debug2("%s: disabled because of invalid user", __func__);
++		goto done;
++	}
++
+ 	if ((b = sshbuf_new()) == NULL)
+ 		fatal("%s: sshbuf_new failed", __func__);
+ 	/* reconstruct packet */
+diff --git a/usr.bin/ssh/auth2-pubkey.c b/usr.bin/ssh/auth2-pubkey.c
+index 195da5e2111..af9e5f04c45 100644
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
+@@ -86,19 +86,15 @@ userauth_pubkey(struct ssh *ssh)
+ {
+ 	Authctxt *authctxt = ssh->authctxt;
+ 	struct passwd *pw = authctxt->pw;
+-	struct sshbuf *b;
++	struct sshbuf *b = NULL;
+ 	struct sshkey *key = NULL;
+-	char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL;
+-	u_char *pkblob, *sig, have_sig;
++	char *pkalg = NULL, *userstyle = NULL, *key_s = NULL, *ca_s = NULL;
++	u_char *pkblob = NULL, *sig = NULL, have_sig;
+ 	size_t blen, slen;
+ 	int r, pktype;
+ 	int authenticated = 0;
+ 	struct sshauthopt *authopts = NULL;
+ 
+-	if (!authctxt->valid) {
+-		debug2("%s: disabled because of invalid user", __func__);
+-		return 0;
+-	}
+ 	if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 ||
+ 	    (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 ||
+ 	    (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0)
+@@ -164,6 +160,11 @@ userauth_pubkey(struct ssh *ssh)
+ 				fatal("%s: sshbuf_put_string session id: %s",
+ 				    __func__, ssh_err(r));
+ 		}
++		if (!authctxt->valid || authctxt->user == NULL) {
++			debug2("%s: disabled because of invalid user",
++			    __func__);
++			goto done;
++		}
+ 		/* reconstruct packet */
+ 		xasprintf(&userstyle, "%s%s%s", authctxt->user,
+ 		    authctxt->style ? ":" : "",
+@@ -180,7 +181,6 @@ userauth_pubkey(struct ssh *ssh)
+ #ifdef DEBUG_PK
+ 		sshbuf_dump(b, stderr);
+ #endif
+-
+ 		/* test for correct signature */
+ 		authenticated = 0;
+ 		if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
+@@ -191,7 +191,6 @@ userauth_pubkey(struct ssh *ssh)
+ 			authenticated = 1;
+ 		}
+ 		sshbuf_free(b);
+-		free(sig);
+ 		auth2_record_key(authctxt, authenticated, key);
+ 	} else {
+ 		debug("%s: test pkalg %s pkblob %s%s%s",
+@@ -202,6 +201,11 @@ userauth_pubkey(struct ssh *ssh)
+ 		if ((r = sshpkt_get_end(ssh)) != 0)
+ 			fatal("%s: %s", __func__, ssh_err(r));
+ 
++		if (!authctxt->valid || authctxt->user == NULL) {
++			debug2("%s: disabled because of invalid user",
++			    __func__);
++			goto done;
++		}
+ 		/* XXX fake reply and always send PK_OK ? */
+ 		/*
+ 		 * XXX this allows testing whether a user is allowed
+@@ -235,6 +239,7 @@ userauth_pubkey(struct ssh *ssh)
+ 	free(pkblob);
+ 	free(key_s);
+ 	free(ca_s);
++	free(sig);
+ 	return authenticated;
+ }
+
author	Natanael Copa <ncopa@alpinelinux.org>	2018-08-22 08:56:21 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2018-08-22 08:56:21 +0000
commit	c314d18b4e1c932d8670c49f265f919242b7a17b (patch)
tree	6a63d1d4323db9d3e1e64e79fc7964eaedc3124a /main/openssh
parent	778979325b80c0140f80ecb4558828ed3e8544f4 (diff)
download	aports-c314d18b4e1c932d8670c49f265f919242b7a17b.tar.bz2 aports-c314d18b4e1c932d8670c49f265f919242b7a17b.tar.xz